The Cybersecurity 202: Why cybersecurity experts are so concerned about the health-care industry

Stethoscopes hang in a nurses' station in the emergency room at Perry Memorial Hospital in Princeton, Ill., on Sept. 1, 2017. (Photo: Daniel Acker/Bloomberg)

New research released by two security companies paints an unsettling picture for the health-care industry: Hackers are stepping up their attacks on hospitals and other health organizations that may be ill prepared to defend against the wave of malicious activity.

In its quarterly threat report unveiled Tuesday, cybersecurity company Rapid7 found that the health-care sector experienced a surge in cyberattacks during the first quarter of 2018 — so many that it ranked as the top-targeted industry in the first three months of the year.

The spike marked a continued shift away from attacks on the financial, professional and administrative services industries as hackers seek to take advantage of health organizations’ aging and complex IT systems, which are difficult to secure quickly, according to Rapid7.

Right on the heels of Rapid7’s research, the Internet of Things security firm Pwnie Express is going live this morning with an unrelated survey containing more troubling news: In a poll of more than 500 security professionals, 51 percent of them said the health-care and public-health sectors were the least prepared for cyberattacks. The pros said the industry was the most vulnerable among the country's 16 critical infrastructure sectors — and 85 percent of them said a major cyberattack on critical infrastructure was likely in the next five years.

Health organizations “have a lot of work to do” to secure their systems, said Rebekah Brown, Rapid7’s head of threat intelligence.

“Given everything we know about how the health-care sector operates and some of the legacy systems they use, they are probably more vulnerable than other sectors based on the systems they use alone,” she told me.

The health-care sector makes an appealing target for hackers for a few reasons, according to Brown. For one, hospitals and insurers keep troves of data that are easy for a cybercriminal to monetize — such as billing and insurance information. The biggest risks to most patients are identity theft and fraud.

But personal health records carry a different kind of value for more sophisticated attackers. Information about someone’s personal or family health history could be used for blackmail or phishing, or help an adversary masquerade as someone else. State-sponsored attackers could use such details for intelligence purposes, according to Brown.

“Any information they can get on someone they’ve targeted is useful little pieces that become valuable, even if they’re not monetizable,” she said.

Hospitals are vulnerable in part because they often rely on equipment that’s built to last 15 to 20 years, meaning it runs older software that’s trickier to update than, say, a typical office computer. And with so many hospital devices interconnected, it’s hard to tell how an update to one will affect other equipment in the system.

The problem extends from MRI machines to the devices nurses wear on their wrists that remind workers to wash their hands, said Todd DeSisto, chief executive of Pwnie Express. “Those are great in terms of productivity enhancements, but you’re also more exposed because they’re all connected to the Internet,” he told me.

DeSisto also said the health-care and energy sectors are particularly at risk because of the range of devices they use. “The IoT [Internet of Things] penetration is higher in those environments because these are sophisticated pieces of equipment,” he said. “There’s lots of different kinds of attack points.They’re ripe targets.”

We've seen this in practice. Just last month, the cybersecurity company Symantec revealed that an attack group called Orangeworm was targeting the health-care industry and had infected malware on X-ray and MRI machines. Orangeworm was also observed meddling in machines used to help patients fill out consent forms, according to Symantec.

Brown said it was important to note that the spike in attacks on the health-care sector didn’t necessarily mean a spike in successful attacks — indeed, plenty of attempts failed. But health organizations should take note of the growing threat and respond carefully, she said.

“The fact that they’re still trying, that they don’t just fail and give up, shows that this is a true interest,” Brown said. “And they seem determined to see what they can do.”

You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.

PINGED: The U.S. government has identified a suspect in a massive leak of CIA hacking tools that were published by WikiLeaks last year, but prosecutors have been unable to bring charges against him, The Washington Post's Shane Harris reports.

“Joshua Adam Schulte, who worked for a CIA group that designs computer code to spy on foreign adversaries, is believed to have provided the agency’s top-secret information to WikiLeaks, federal prosecutors acknowledged in a hearing in January,” Harris writes. WikiLeaks published the code in March 2017 under the label “Vault 7.” Current and former intelligence officials told Harris that last year's leak, which revealed cyberweapons and spying techniques that might be turned against the United States, was among the most serious in the agency's history.

But Schulte is being held in jail in Manhattan on unrelated charges. “Federal authorities searched Schulte’s apartment in New York last year and obtained personal computer equipment, notebooks, and handwritten notes, according to a copy of the search warrant reviewed by The Washington Post," Harris writes. "But that failed to provide the evidence that prosecutors needed to indict Schulte with illegally giving the information to WikiLeaks.”

A general view on May 2 in Londonof the office building that used to be occupied by the now-defunct Cambridge Analytica. (Photo by Chris J Ratcliffe/Getty Images)

“Prosecutors have questioned potential witnesses in recent weeks, telling them that there is an open investigation into Cambridge Analytica — which worked on President Trump’s election and other Republican campaigns in 2016 — and ‘associated U.S. persons,’” Rosenberg and Confessore report. “But the prosecutors provided few other details, and the inquiry appears to be in its early stages, with investigators seeking an overview of the company and its business practices.”

The news of the investigation comes as Christopher Wylie, a former Cambridge Analytica employee who has publicly criticized the company, is scheduled to appear this morning before the Senate Judiciary Committee to answer questions about the firm.

President Trump at the White House on May 14. (Photo by Jabin Botsford/The Washington Post)

PWNED: The White House is eliminating its cybersecurity coordinator position, Politico's Eric Geller reports. “According to an email sent to National Security Council staffers Tuesday, the decision is part of an effort to 'streamline authority' for the senior directors who lead most NSC teams,” Geller writes.

Rob Joyce, who held the White House's top cyber policy job, left the position last week and is set to return to the National Security Agency. And Trump's new national security adviser John Bolton did not want to replace him, Geller reports. The decision came in an email Tuesday from a Bolton aide — despite a slew of experts and lawmakers who urged against scrapping the position.

In a series of tweets, Sen. Mark R. Warner (D-Va.), vice chairman of the Senate Intelligence Committee, urged Trump not to allow the position to be cut because it's the only one “in the federal government tasked with delivering a coordinated, whole-of-government response to the growing cyber threats facing our nation.”

Mr. President, if you really want to put America first, don’t cut the White House Cybersecurity Coordinator — the only person in the federal government tasked with delivering a coordinated, whole-of-government response to the growing cyber threats facing our nation. https://t.co/MRkwA8et7y

Here’s the point: we should be investing in our nation’s cyber defense, not rolling it back. We also need to articulate a clear cyber doctrine. I don’t see how getting rid of the top cyber official in the White House does anything to make our country safer from cyber threats.

Reps. Jim Langevin (D-R.I.) and Ted Lieu (D-Calif.) introduced a bill, titled the Executive Cyberspace Coordination Act, to essentially reinstate the cybersecurity coordinator position and create a National Office for Cyberspace in the White House. Lieu said the bill would fill the void left by the White House's cancellation of the cyber policy job, a decision he called “outrageous.”

“A coordinated effort to keep our information systems safe is paramount if we want to counter the cyber threats posed by foes like Russia, Iran and China,” Lieu said in a statement. “To do anything less is a direct threat to national security.”

CHAT ROOM

— The termination of the White House cybersecurity coordinator position lit up Twitter:

From Langevin:

We have had three excellent #cybersecurity coordinators since the late, great Howard Schmidt originated the position. It is an enormous step backwards to deemphasize this growing challengehttps://t.co/VWYJ8hMpKm

From George Little, a former spokesman for the CIA and the Defense Department:

The Trump White House has eliminated its senior cybersecurity coordinator position. This is yet another bad move for a government that still needs a senior voice to address the complex array of cyber challenges across agencies and departments. This is a step backwards.

Homeland Security Secretary Kirstjen Nielsen at the White House on April 4. (Photo by Jabin Botsford/The Washington Post)

— The Department of Homeland Security on Tuesday published a 35-page report presenting the agency's cybersecurity strategy for the next five years “to keep pace with the evolving cyber risk landscape.”

“The cyber threat landscape is shifting in real-time, and we have reached a historic turning point,” Homeland Security Secretary Kirstjen Nielsen said in a statement. “Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself.” The agency's goals include reducing vulnerabilities within federal government information systems, partnering with key stakeholders to protect critical infrastructure and countering transnational criminal organizations.

— Trump signed an executive order aiming to give more authority to federal agencies' chief information officers. You can read the order here.

— William R. Evanina, Trump's nominee for director of the National Counterintelligence and Security Center, told Sen. Angus King (I-Maine) during his confirmation hearing yesterday that he agrees with the intelligence community's assessment that Russia interfered in the presidential election to undermine the public’s confidence in the democratic process and help get Trump elected.

Separately, in response to a question by Sen. Marco Rubio (R-Fla.), Evanina also said that he would not use a phone from ZTE, the Chinese tech company that Trump promised to bring back from the brink of collapse:

President Donald Trump has signed an executive order that will elevate the role of agency CIOs. The order, which was signed Tuesday afternoon, will require that agency CIOs report directly to the agency head.

Atlanta's 2019 budget process has been delayed by a March cyber attack that scrambled a swath of government data, temporarily closing courts, halting bill payments and slowing other key services in the most devastating "ransomware" assault on a major U.S. city, a city spokesperson said on Tuesday.

— Facebook is starting to lift the veil of secrecy over its enforcement of the rules on the social network. The company announced Tuesday that it removed about 583 million fake accounts and 837 million pieces of spam during the first quarter of the year. It was the first time that Facebook released numbers about the content that it takes offline.

“We believe that increased transparency tends to lead to increased accountability and responsibility over time, and publishing this information will push us to improve more quickly too,” Guy Rosen, Facebook's vice president of product management, said in a statement. “This is the same data we use to measure our progress internally — and you can now see it to judge our progress for yourselves.”

In addition from fake accounts and spam, Facebook also said it took down content that includes graphic violence, adult nudity and sex, terrorist propaganda and hate speech, Rosen wrote. He added that the company needs to review the technology that it uses to remove hate speech because it “still doesn't work that well.”

Jillian York, director for international freedom of expression at the Electronic Frontier Foundation, told the New York Times's Sheera Frenkel that Facebook was making the right call by releasing the information. "It’s a good move and it’s a long time coming," York told Frenkel. “But it’s also frustrating because we’ve known that this has needed to happen for a long time. We need more transparency about how Facebook identifies content, and what it removes going forward.”

Big Ben at the Palace of Westminster in London on Feb. 23. (Photo by Laura Hynd for The Washington Post)

— Despite this transparency push, it looks like there are some questions about data privacy and other issues that Facebook isn't ready to answer yet. Rebecca Stimson, Facebook UK's head of public policy, told a British parliamentary committee in a letter that Facebook chief executive Mark Zuckerberg “has no plans to meet with the committee or travel to the UK at the present time,” the Verge's Jacob Kastrenakes reports.

Stimson's letter answered multiple questions from the British lawmakers, but Damian Collins, the committee's head, didn't seem impressed. “If Mark Zuckerberg truly recognises the 'seriousness' of these issues as they say they do, we would expect that he would want to appear in front of the Committee and answer questions that are of concern not only to Parliament, but Facebook’s tens of millions of users in this country,” Collins said in a statement.

Twitter Inc on Tuesday revised its strategy for fighting abusive internet "trolls," saying it would use behavioral signals to identify harassers on the social network and then limit the visibility of their tweets.

Reuters

THE NEW WILD WEST

WikiLeaks founder Julian Assange speaks to the news media from the balcony of the Ecuadoran Embassy in London on May 19, 2017. (Photo by Jack Taylor/Getty Images)

“Documents show the intelligence programme, called 'Operation Guest', which later became known as 'Operation Hotel' — coupled with parallel covert actions — ran up an average cost of at least $66,000 a month for security, intelligence gathering and counter-intelligence to 'protect' one of the world's most high-profile fugitives,” they write.

Additionally, a source told the Guardian that Assange infiltrated the embassy's communications systemand intercepted the correspondence of the staff. WikiLeaks denied those claims and said it would file a lawsuit.

— Researchers from mobile security company Lookout said Tuesday that they have identified spying tools used to monitor Android phones and mobile devices using Apple's operating system iOS as part of an intelligence-gathering operation by members of Pakistan's military.

“Our investigation indicates this actor has used these surveillanceware tools to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians,” according to Lookout's report.

The data that was extracted from compromised devices includes government documents, travel information, pictures of IDs and other information, according to the report.

Russian antivirus-software company Kaspersky Labs said it would relocate significant operations from Russia to Switzerland, after the U.S. and U.K. governments said the company could be vulnerable to Moscow interference.